All of a sudden we are getting SSL Certificate expired while using deep packet inspection today

It seems like the errors are all from R3 authority which from what I am seeing is related to LetsEncrypt. The odd thing is that it says the certificate is expired, but the error message shows that the certificates are within the correct time. This just all of a sudden started happening. Websites like amazon and google have no issues. Anyone else having this issue?

Final Update:

Fortinet KB Article: https://kb.fortinet.com/kb/documentLink.do?externalID=FD53305

Fortinet response: https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates

Update your certificate bundle following /u/niffur00 instructions

A root certificate that is used by LetsEncrypt has expired https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

There are workarounds, but please be aware that your security posture may be reduced. It seems as if the old KB for the AddTrust External CA updated KB article has the same workarounds that others are suggesting in this post. https://kb.fortinet.com/kb/documentLink.do?externalID=FD49028. I don’t know what Fortinet is doing, but they updated this KB with info regarding DST Root CA X3, yet now they have removed all references to it. I believe the information is still relevant.

If you do choose to allow invalid certificates, may I suggest that instead of choosing to allow All, that you instead use the β€œCustom” option and choose β€œTrust and Allow” for expired certificates (if that is an option on your version).

Expect Fortinet to release a new certificate bundle, as /u/niffur00 suggests and the KB article describes, please be on the lookout for this new bundle and update when ready. My current certificate bundle reads version 1.00027. Apparently Fortinet has released a new certificate bundle version 1.00028. I am unable to confirm if this works, so please post your results.

πŸ‘︎ 198
πŸ’¬︎
πŸ‘€︎ u/SerialDongle
πŸ“…︎ Sep 30 2021
🚨︎ report
VPN that bypasses Deep Packet Inspection VPN blocking

Hello! I searched the sub for this topic but didn't find anything (if you do please link me, thank you :). )

Basically our uni blocks VPNs via DPI and I wanted to know if there is any way / vpn provider that bypasses this with some fancy protocol.

Thanks for your help! :)

πŸ‘︎ 13
πŸ’¬︎
πŸ‘€︎ u/SHCNCR
πŸ“…︎ Nov 23 2021
🚨︎ report
Ssl certificates and deep packet inspection

So We just got a brand new Fortigate 200f firewall for our organization . We have about 100 active users and about 500-600 devices (smart phones , tablets, pc’s, macs, iot devices ) So we want to implement ssl certificate with deep packet inspection.

What is the simplest way of getting these certificates installed on each device ?

πŸ‘︎ 4
πŸ’¬︎
πŸ‘€︎ u/Canada_True
πŸ“…︎ Oct 12 2021
🚨︎ report
CMV: Deep packet inspection breaks zero trust

Hi,

I just had a thought today, and it may be obvious/common knowledge, but I see DPI being touted as a security feature and it always rubbed me the wrong way. I think I finally found a framework to express how it rubs me the wrong way.

So for context, I mostly work in cloud, but I know datacenter too and this still applies to datacenter networking. Current best practices are to implement what's called "zero trust", which is basically just an extension/rewording of older best practices of "don't make a big central firewall". So for zero trust to exist, there cannot be a central point of trust. To build on this, it is best practice, at least in cloud, to encrypt all data in transit (in AWS, all endpoints they give you from ALBs to SQS queues are all HTTPS) even if the traffic is "internal". So, to implement DPI in this setup, you route all traffic across a centralized point that inspects the traffic and applies rules, but its encrypted so you can only get the header information.

This leaves 2 possibilities:

  • You only inspect the headers
  • You decrypt SSL on device with injected certificates

If you only inspect the headers, then what's the point of a central firewall? Especially in cloud where everything gets a firewall through security groups or equilavent, though any ol' device can do basic header filtering with minimal overhead.

If you decrypt SSL, then that creates a central point of trust since it has certificates accepted by all devices and its also a central point for data collection.

Is there something wrong with this logic? It seems that common practice is to implement it but I don't see the actual benefit of implementing it.

πŸ‘︎ 80
πŸ’¬︎
πŸ‘€︎ u/hi117
πŸ“…︎ Jul 21 2021
🚨︎ report
Passive Deep Packet Inspection blocker and Active DPI circumvention utility github.com/ValdikSS/Goodb…
πŸ‘︎ 17
πŸ’¬︎
πŸ‘€︎ u/Chii
πŸ“…︎ Oct 29 2021
🚨︎ report
Bypass deep packet inspection with Raspberry Pi

Hi,

Recently I have been trying to setup a way to bypass DPI using a rasperry pi 4.

All of the tutorials that I have tried to follow have stopped working at some point.

Could somone send me one that has worked for them, or maybe reccomend a different option?

Any ideas what I might have missed here?

Thanks in advance!

Spider

πŸ‘︎ 6
πŸ’¬︎
πŸ‘€︎ u/SpiderBlitz
πŸ“…︎ Sep 01 2021
🚨︎ report
Deep Packet Inspection

Do you guys keep this enabled or disabled? I was looking to get the highest possible bandwidth out of my network

πŸ‘︎ 2
πŸ’¬︎
πŸ‘€︎ u/audiophileguy
πŸ“…︎ Aug 12 2021
🚨︎ report
Microsoft Store and Deep Packet Inspection

Does Microsoft have something against deep packet inspection? I have the certs set up right, our FortiGate is the issuer for all website certs I look at, and they show as valid with no certificate errors. This is on my workstation - I have a separate policy for traffic from my workstation's IP and that's all that is being deep inspected (testing purposes). I can browse the Microsoft store but cannot download apps due to error code 0x80072F8F, but it works if I disable deep inspection. Nothing is being blocked by the web or app filter. I googled the error code and it seems to be SSL related, and it appears some people get this for Windows Update and Activation too (I haven't, but that could be because we have WSUS and I haven't reinstalled Windows since turning DPI on). What needs to be done to get communication with Microsoft to honor the same trusted CA's that everything else honors? I know I can create an exception and just not inspect traffic to M$ but I'd rather get it working correctly.

πŸ‘︎ 2
πŸ’¬︎
πŸ‘€︎ u/JadziasBoyfriend
πŸ“…︎ Jun 14 2021
🚨︎ report
Is anybody working on a way to make in really hard for deep packet inspection to detect traffic from Bitcoin nodes to prevent your ISP from detecting you are running a node at your home connection and shut down your internet cause you are breaching their SLA.

So far governments have generally speaking said: alright we will allow your Bitcoin.

This is because right now Bitcoin just moves fiat around from the pockets of losers to the pockets of winners. The government don't give a shit about that. Fiat goes in, fiat comes out. Not a problem.

But if this ever changes, and it migth (we are working hard on changing this)

Goverments around the world can get together in their G9 bildeberg meetings or whatever they call em and the 0.001% can all agree to make crypto illegal.

This means:

  • ISP's will be forced by law to do deep packet inspection and shut your internet down if you are running a node.

  • Every exchange that is a bank will lose their banking license

  • Every centralised exchange will be shut down and their fiat assets frozen by a request to their bank that the bank by law has to follow.

Now 1 BCH will still be 1 BCH even if every cex goes offline.

But users risking t heir ISP's shutting down their internet when Bitcoin related traffic is detected.

That is HUGE issue.

Let's say that 2 years from now this will happen in The USA and the UK first and 1 year later in most european countries,.

Let's say within 5 years this will happen in most european countries.

How do we counter this TODAY? Or do we just hope it won't happen.

Or will Spacex soon be the only internet that will allow Bitcoin traffic so that Elon Musk can control like absolutely everything?

πŸ‘︎ 17
πŸ’¬︎
πŸ“…︎ Apr 01 2021
🚨︎ report
Can outline vpn resists deep packet inspection?

Hi, guys, my old vpn was blocked by my isp so I have to change one. I choose outline because it is easy to deploy.But I've heard that shadowsocks traffic can be analysised by deep packet inspection,also the article

https://medium.com/jigsaw/introducing-outline-making-it-safer-to-break-the-news-feda4d047b4

states that Outline supports modern AEAD 256-bit cipher encryption and is resistant to probing and stronger against protocol fingerprinting, which makes it significantly harder to block by modern deep-packet-inspection software.

Can somebody tells more detail? Does outline really resists deep packet inspection?

πŸ‘︎ 3
πŸ’¬︎
πŸ‘€︎ u/wowwcm
πŸ“…︎ May 17 2021
🚨︎ report
At least 186 EU ISPs use deep-packet inspection to shape traffic, break net neutrality zdnet.com/article/186-eu-…
πŸ‘︎ 15k
πŸ’¬︎
πŸ‘€︎ u/mvea
πŸ“…︎ May 18 2019
🚨︎ report
Mullvad vs Deep Packet Inspection

I'am in an very restrictive Network. Wireguard on Port 53 not Working. Openvpn with or without Shadowsocks also not working i receive following error. With a bit reverse engineering i found out, that they using a zscaler appliance with DPI on Port 443. Do someone have an advise for me. I'am using the official Mullvad App.

"2021-04-19 13:19:42 WARNING: Bad encapsulated packet length from peer (5379), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]"

πŸ‘︎ 3
πŸ’¬︎
πŸ‘€︎ u/CookieCr2nk
πŸ“…︎ Apr 19 2021
🚨︎ report
Firewall/routing decision + Is Deep Packet Inspection pointless these days?

Bit of rambling here sorry. Looking for general thoughts/feedback.

Having a lot of trouble with decision overload and researching how best to secure my homelab.

I bought an itx machine with intel 4160 and 4gb ram to run pfsense because I thought "Deep Packet Inspection" was a must have feature. (haven't yet set it up)

Since then I've been seeing a few comments that DPI is worthless these days because you can't inspect https (which mostly everything is now).

You can unencrypt https to inspect but that's a security concern in itself, because you shouldn't be "man in the middle-ing" yourself.

What are homelab's thoughts?

If DPI is pointless then I will start my research again because tbh everything was focused around having DPI support.

My ideal goal is I want a good firewall than can zone different devices. IOT devices in one zone, wifi (that visitors connect to) in another zone, and my servers/pc in another zone.

What options would you consider more beginner friendly? I haven't done much security/networking so a nice GUI that's easy to understand will be a huge bonus. I really want this to be as ironclad secure as possible.

Secondary wishlist is... Is there a nice firewall/routing solution that would run on a Raspberry Pi? (With a usb 3 gigabit adapter for second Ethernet port)

In the long term I want to convert all my homelab stuff to Rasperry Pi 4B's. None of my servers are doing anything intensive so I'd love to go all Pi's :-) But less important for now

Thanks guys

πŸ‘︎ 4
πŸ’¬︎
πŸ‘€︎ u/ryncewynd
πŸ“…︎ Mar 17 2021
🚨︎ report
CM4 for deep packet inspection

Saw u/geerlingguy’s video on the dual NIC CM4 host boards and really want to play with it. But what do I need two NICs for? I already have a very capable router.

I could use it as a firewall, but the router (Mikrotik RB4100) already has this built in.

So I was wondering what else I could use it for, positioned in between the router and fiber media box, deep packet inspection. Or would there be zero point to that as it’s just way too slow?

(On a 1000/300 connection)

πŸ‘︎ 3
πŸ’¬︎
πŸ‘€︎ u/robdejonge
πŸ“…︎ May 30 2021
🚨︎ report
Russia now. God’s in his Deep Packet Inspection… All’s blocked with the world.
πŸ‘︎ 39
πŸ’¬︎
πŸ‘€︎ u/virysD
πŸ“…︎ Mar 17 2021
🚨︎ report
Why Do we want Deep Packet Inspection?

So if most internet traffic now days is encrypted what's the point of deep packet inspection on the sonicwall? Also I notice one of our sonicwalls has an expired security license so the deep packet features don't work, but yet, the sonicwall itself is still performing the deep packet inspection and slowing down traffic.

What's the point of having the sonicwall inspect traffic if number 1 you don't have a license for it. Or number 2 everything is basically encrypted anyway? I'm just curious, does deep packet inspection actually perform any benefit? I constantly have to turn it off.

On the sonicwall with the security license, deep packet inspection gives me a little bit more visibility into my layer 7 network traffic, on my bandwidth graphs. I can see facebook traffic vs aspera traffic or whatever. Is that the only benefit?

πŸ‘︎ 3
πŸ’¬︎
πŸ‘€︎ u/MudKing1234
πŸ“…︎ Jan 26 2021
🚨︎ report
GoodbyeDPI - A Deep Packet Inspection blocker to circumnavigate ISP throttling and website blocks github.com/ValdikSS/Goodb…
πŸ‘︎ 956
πŸ’¬︎
πŸ‘€︎ u/meantbent3
πŸ“…︎ Oct 02 2019
🚨︎ report
More-detailed deep packet inspection?

Recently joined the Unifi ecosystem after several years with Cisco Meraki, and one thing I haven't yet found is how to see more detailed information about which hosts that a given client is accessing.

This is the sort of information I used to be able to see with the Meraki setup:

https://i.imgur.com/O4k2ZVE.png

Compare with the Unifi:

https://i.imgur.com/AyAvxnN.png

I'd like to start tuning firewall rules for my IoT devices since some of them do rely on internet connectivity, but it's difficult to build and troubleshoot these if I cannot see the hosts they're talking to.

πŸ‘︎ 19
πŸ’¬︎
πŸ‘€︎ u/run-the-joules
πŸ“…︎ Dec 07 2020
🚨︎ report
Zoom Deep Packet Inspection

Hi all,

Just wondering if anyone has attempted to do DPI on Zoom traffic? I'm looking to log Zoom chat traffic between students (we're an education institution). Currently Zoom is in the SSL exclusion list and I looking at taking it out of the list however whenever I do, Zoom complains that there is an issue with the certificate. I am wondering if there is some way of allowing the app to trust the Firewall certificate, (i.e. similar to Google Drive File Stream roots.pem allows you to merge the file together or a registry/policy option) so we can start logging data in FortiAnalyzer.

Any ideas would be greatly appreciated.

πŸ‘︎ 5
πŸ’¬︎
πŸ‘€︎ u/mrnemesisman
πŸ“…︎ Oct 08 2020
🚨︎ report
Unifi have seriously Nerfed their Deep Packet Inspection...

I see videos of people using DPI on their Unifi networks and its incredible. I've spent the money and they are some great products but the DPI isnt anything like it is in videos from just 3 years ago. What happened?

Is there any alternative that achieves what this used to be able to do?

πŸ‘︎ 2
πŸ’¬︎
πŸ‘€︎ u/tomorrownightuk
πŸ“…︎ Oct 26 2020
🚨︎ report
GreenTunnel bypasses DPI (Deep Packet Inspection) systems without changing IP or server endpoints. (Linux, macOS, and Windows + docker)
πŸ‘︎ 80
πŸ’¬︎
πŸ‘€︎ u/SadeghHayeri
πŸ“…︎ Mar 14 2020
🚨︎ report
Deep packet inspection to classify V2Ray traffic

In last 3 months, I'm verifying the patent claim by replicating it with code and data.

First, I spent two months to write a TCP packet sorter. Then I collected home traffic for a month where I mixed v2ray traffic with other normal network traffic.

Last night, I stopped capturing packet data and started to build a classifier. I spent two hours to write a 1D Convolution Neutral Network to do binary classification on v2ray traffic and non-v2ray traffic.

To my surprise, I can achieve classification accuracy rate up to 98.86%. In a nutshell, the patent claim is real.

I shared my classification model in Python notebook and findings in my blog post.

πŸ‘︎ 10
πŸ’¬︎
πŸ‘€︎ u/rickyzhang82
πŸ“…︎ Jan 19 2020
🚨︎ report
Banning an app like TikTok doesn’t just mean removing it from the PlayStore. ISPs can use techniques like Deep Packet Inspection and make life extremely difficult for the app maker
πŸ‘︎ 18
πŸ’¬︎
πŸ‘€︎ u/BigSurround2
πŸ“…︎ Jun 29 2020
🚨︎ report
Deep Packet Inspection without license?

Hey Guys,

We have a sonicwall and it’s anti-gateway (IPS) virus app viz license has expired years ago. I’m still able to update firmware by downloading from our sonicwall account. So the firewall is up to date.

So I’ve noticed that by default the deep packet inspection (DPI) is turned on, for the allow all rule on the LAN to outbound traffic.

Some of our users are complaining of poor upload speed. I have to disable DPI on the endpoint IP in order for full speed to occur.

In order to disable DPI, I had to manually add an access rule to match the endpoint IP in the LAN to WAN rules and then disable DPI. After the disable, bandwidth speeds improved and CPU consumption is also reduced.

Now, to my question. If I don’t have the Intrusion Prevention System license activated, is the DPI actually doing anything other than slowing down my network and consuming CPU cycles?

-MUD

πŸ‘︎ 4
πŸ’¬︎
πŸ‘€︎ u/MudKing123
πŸ“…︎ Aug 08 2020
🚨︎ report
GreenTunnel: anti-censorship utility designed to bypass deep packet inspection github.com/SadeghHayeri/G…
πŸ‘︎ 71
πŸ’¬︎
πŸ‘€︎ u/viktex1d
πŸ“…︎ Mar 23 2020
🚨︎ report
GoodbyeDPI - A Deep Packet Inspection blocker to circumnavigate ISP throttling and website blocks github.com/ValdikSS/Goodb…
πŸ‘︎ 123
πŸ’¬︎
πŸ‘€︎ u/meantbent3
πŸ“…︎ Oct 02 2019
🚨︎ report
GoodbyeDPI - A Deep Packet Inspection blocker to circumnavigate ISP throttling and website blocks github.com/ValdikSS/Goodb…
πŸ‘︎ 70
πŸ’¬︎
πŸ‘€︎ u/meantbent3
πŸ“…︎ Oct 02 2019
🚨︎ report
Deep Packet Inspection of my hotspot...Are you guys seeing large Skype traffic through your Helium Hotspot? Not sure why VoiP is involved?
πŸ‘︎ 12
πŸ’¬︎
πŸ‘€︎ u/dingobaby28
πŸ“…︎ Jan 15 2020
🚨︎ report
UDM Deep Packet Inspection stats

Does anyone know from where exactly DPI is pulling its stats?

Set up the UDM around 90 mins ago and DPI for my laptop is showing over 5 TB.

It looks like it pulled historic data because I can guarantee if I did 5 TB domestic in 90 mins the CEO of my ISP would personally knock on my door and disconnect me.

πŸ‘︎ 3
πŸ’¬︎
πŸ‘€︎ u/GitShiggles
πŸ“…︎ May 08 2020
🚨︎ report
ITU Approves Deep Packet Inspection Standard Behind Closed Doors, Ignores Huge Privacy Implications techdirt.com/articles/201…
πŸ‘︎ 3k
πŸ’¬︎
πŸ‘€︎ u/krimms
πŸ“…︎ Dec 04 2012
🚨︎ report
GoodbyeDPI - A Deep Packet Inspection blocker to circumnavigate ISP throttling and website blocks github.com/ValdikSS/Goodb…
πŸ‘︎ 59
πŸ’¬︎
πŸ‘€︎ u/meantbent3
πŸ“…︎ Oct 02 2019
🚨︎ report

Please note that this site uses cookies to personalise content and adverts, to provide social media features, and to analyse web traffic. Click here for more information.